Congressional Hearing Notes 10-17-07
Joe Weiss
On Wednesday, October 17th, the Committee on Homeland Security held hearings on "The Cyber Threat to Control Systems; Stronger Regulations are Necessary to Secure the Electric Grid". Additionally, the Committee issued a letter to the Chairman of FERC requesting an investigation of how FERC, NERC, and the industry responded to the Aurora issue.
The first panel focused on the Aurora vulnerability (diesel generator tape made by INL and shown on CNN):
Mr. Greg Wilshusen, Director, Information Security Issues, Government Accountability Office
Mr. Greg Garcia, Assistant Secretary, Office of Cyber Security and Telecommunication, Department of Homeland Security
Mr. Tim Roxey, Technical Assistant to the President CGG/Security, Deputy to the Chair, NSCC & PCIS, Constellation Generation Group
The Congressional Chair mentioned that DOD/DHS want to form an organization of up to 2000 people to monitor critical infrastructure communications issues. Obviously, there will be technical and administrative issues, including the willingness of private industry to share information.
The following questions were asked:
- What percentage of the industry has actually responded to the ERS ISAC Advisory on Aurora? Didn't know
- Did GAO agree with comments of the House Homeland Security on the FERC NOPR? Yes and should be considered for all sectors
- What can be done to find more vulnerabilities? Hold public hearings and nurture public/private partnership
- How long have people stayed at DHS and what can be done to retain personnel?
- How much will be spent by DHS on control systems? $12 million
- Are nuclear plants at the top of the risk category? Yes
- What is DHS's role to prevent cascading failures? Congress wants more than just a coordinator role - what needs to be done to add regulatory authority?
The next panel was focused on standards:
Mr. Joseph McClelland, Director, Office of Electric Reliability, Federal Energy Regulatory Commission
Mr. David Whiteley, Executive Vice President, North American Electric Reliability Corporation
Mr. Joe Weiss, Managing Director, Applied Control Solutions
Since I was part of this panel, I couldn't take notes. General comments:
- FERC was asked what was needed to be able to have regulatory authority
- FERC and NERC expressed that they did not have regulatory authority
- NIST SP800-53 is directly applicable to control systems and is more comprehensive than the NERC CIPs. After this discussion, David Whiteley acknowledged they didn't recognize the value of NIST SP800-53 and would relook at NIST SP800-53 in the next revision (up to 3 years from now)
- DOD technologies may not be directly relevant to industrial control systems, but their help should be enlisted. It should be noted that industry has received support from DOD before the specific individual moved to FERC.
- The Congressional Committee stated they were very uncomfortable with NERC's response and will hold further meetings on this subject.
- David Whiteley of NERC stated that if a house could affect the bulk electric systems, it needs to be addressed. This means AMI must be included.
In summary, the Congressional Committee stated they were very uncomfortable with NERC's response and will hold further meetings on this subject.